Add support for te samhain in-binary password so that remote logging

works and add a readme on how to set this up properly.

security/samhain/Makefile

@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.6 2012/05/16 13:47:18 ajacoutot Exp $
+# $OpenBSD: Makefile,v 1.7 2012/05/18 10:28:05 robert Exp $
 
 COMMENT-main=		Samhain Intrusion Detection System - documentation
 COMMENT-client=		Samhain Intrusion Detection System - client
@@ -13,8 +13,8 @@ FULLPKGPATH-client=	security/samhain,-client
 PKGNAME-server=		samhain-server-${VERSION}
 
 REVISION-main=		2
-REVISION-client=	3
-REVISION-server=	2
+REVISION-client=	4
+REVISION-server=	3
 
 CATEGORIES=		security
 
@@ -76,6 +76,8 @@ post-install:
 .if empty(FLAVOR)
 	${INSTALL_DATA_DIR} ${PREFIX}/share/examples/samhain
 	${INSTALL_DATA} ${WRKSRC}/samhainrc ${PREFIX}/share/examples/samhain/
+	${INSTALL} -c -s -o root -g bin -m 700 \
+		${WRKSRC}/samhain_setpwd ${PREFIX}/sbin
 .else
 	${INSTALL_DATA_DIR} ${PREFIX}/share/examples/yule
 	${INSTALL_DATA} ${WRKSRC}/yulerc.template \

security/samhain/pkg/PLIST-client

@@ -1,10 +1,14 @@
-@comment $OpenBSD: PLIST-client,v 1.2 2012/05/11 09:38:28 ajacoutot Exp $
+@comment $OpenBSD: PLIST-client,v 1.3 2012/05/18 10:28:05 robert Exp $
+@extraunexec rm -rf %D/sbin/samhain.signed
 @extraunexec rm -rf /var/samhain/*
 @man man/man5/samhainrc.5
 @man man/man8/samhain.8
 @bin sbin/samhain
+@bin sbin/samhain_setpwd
+share/doc/pkg-readmes/${FULLPKGNAME}
 share/examples/samhain/
 share/examples/samhain/samhainrc
 @sample ${SYSCONFDIR}/samhainrc
 @sample /var/samhain/
 @rcscript ${RCDIR}/samhain
+@rcscript ${RCDIR}/samhain_signed

security/samhain/pkg/PLIST-server

@@ -1,4 +1,4 @@
-@comment $OpenBSD: PLIST-server,v 1.1.1.1 2012/05/11 09:24:23 robert Exp $
+@comment $OpenBSD: PLIST-server,v 1.2 2012/05/18 10:28:05 robert Exp $
 @newgroup _yule:698
 @newuser _yule:698:_yule:daemon:samhain user:/nonexistent:/sbin/nologin
 @extraunexec rm -rf /var/log/yule/*
@@ -14,6 +14,7 @@
 @bin sbin/yule
 @bin sbin/yule_setpwd
 @bin sbin/yulectl
+share/doc/pkg-readmes/${FULLPKGNAME}
 share/examples/yule/
 share/examples/yule/samhain.${FLAVOR}.init
 share/examples/yule/yulerc

security/samhain/pkg/README-client

@@ -0,0 +1,42 @@
+$OpenBSD: README-client,v 1.1 2012/05/18 10:28:05 robert Exp $
+
++-----------------------------------------------------------------------
+| Running ${FULLPKGNAME} on OpenBSD
++-----------------------------------------------------------------------
+
+A manual is available at:
+	http://la-samhna.de/samhain/manual/
+
+By default, samhain uses the SRP (Secure Remote Password) protocol, with
+a password that is embedded in the client binary, and a corresponding
+verifier that is in the server configuration file.
+
+To embed the password in the binary, there is a dummy password compiled in
+as placeholder, and a utility called samhain_setpwd is provided which can
+be used to change the embedded password.
+
+For convenience, the server has functions to generate a random password
+in the correct format.
+
+Server side
+===========
+
+generate a random password in the correct format:
+    $ yule -G
+
+and generate a corresponding entry for the server configuration file:
+    $ yule -P GENERATED_PASSWORD
+
+The generated entry has a string 'HOSTNAME' that you should replace with
+the fully qualified name of the client.
+This entry must then be placed in the [Clients] section of the yule
+configuration file.
+
+Client side
+===========
+
+change the password in the samhain binary:
+    $ samhain_setpwd ${TRUEPREFIX}/sbin/samhain signed GENERATED_PASSWORD
+
+This command will create the ${TRUEPREFIX}/sbin/samhain.signed binary
+which has to be used when you are connecting to the server.

security/samhain/pkg/README-server

@@ -0,0 +1,41 @@
+$OpenBSD: README-server,v 1.1 2012/05/18 10:28:05 robert Exp $
+
++-----------------------------------------------------------------------
+| Running ${FULLPKGNAME} on OpenBSD
++-----------------------------------------------------------------------
+
+A manual is available at:
+	http://la-samhna.de/samhain/manual/
+
+MySQL (InnoDB)
+==============
+
+Connect to MySQL, and create a user and database for Zabbix;
+
+    $ mysql -u root -p
+    mysql> create user samhain@localhost identified by 'password';
+    mysql> create database samhain;
+    mysql> grant all privileges on samhain.* to samhain@localhost;
+    mysql> flush privileges;
+    mysql> quit
+
+Then initialize the database from the files installed in
+${TRUEPREFIX}/share/examples/yule:
+
+    $ cd ${TRUEPREFIX}/share/examples/yule
+    $ mysql -usamhain -p samhain < mysql.sql
+
+PostgreSQL
+==========
+
+Assuming you have an administrative account named `postgres',
+you can create the 'samhain' user and database like this:
+
+    createuser -U postgres --pwprompt --no-superuser \
+      --createdb --no-createrole samhain
+    createdb -U samhain samhain
+
+And initialize the database:
+
+    $ cd ${TRUEPREFIX}/share/examples/yule
+    $ psql -U samhain samhain < samhain.postgresql.init

security/samhain/pkg/samhain_signed.rc

@@ -0,0 +1,9 @@
+#!/bin/sh
+#
+# $OpenBSD: samhain_signed.rc,v 1.1 2012/05/18 10:28:05 robert Exp $
+
+daemon="${TRUEPREFIX}/sbin/samhain.signed"
+
+. /etc/rc.d/rc.subr
+
+rc_cmd $1